[go: up one dir, main page]
More Web Proxy on the site http://driver.im/

EP3839734A1 - Integration of an orchestration services with a cloud automation services - Google Patents

Integration of an orchestration services with a cloud automation services Download PDF

Info

Publication number
EP3839734A1
EP3839734A1 EP19217193.2A EP19217193A EP3839734A1 EP 3839734 A1 EP3839734 A1 EP 3839734A1 EP 19217193 A EP19217193 A EP 19217193A EP 3839734 A1 EP3839734 A1 EP 3839734A1
Authority
EP
European Patent Office
Prior art keywords
workflow
security group
rule
vro
snow
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
EP19217193.2A
Other languages
German (de)
French (fr)
Inventor
Konrad CLAPA
Olena ZHUK
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Agarik SAS
Original Assignee
Atos Uk It Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Atos Uk It Ltd filed Critical Atos Uk It Ltd
Priority to EP19217193.2A priority Critical patent/EP3839734A1/en
Priority to US17/123,894 priority patent/US11902329B2/en
Publication of EP3839734A1 publication Critical patent/EP3839734A1/en
Pending legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/46Multiprogramming arrangements
    • G06F9/50Allocation of resources, e.g. of the central processing unit [CPU]
    • G06F9/5061Partitioning or combining of resources
    • G06F9/5072Grid computing
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/20Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/029Firewall traversal, e.g. tunnelling or, creating pinholes
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/104Grouping of entities

Definitions

  • the invention relates to the field of cloud services management and provision.
  • cloud service providers offering hybrid and or multi-cloud services to major corporation has the challenge of providing orchestration of a vast number of legacy infrastructures of multiple customers and multi-cloud environments (Private / Public / Various brands GCP, AWS, Azure, VMware, OracleVM).
  • Virtualization of computing infrastructures is a fundamental process that powers cloud computing in order to provide services to customers requesting services on a cloud platform through a portal.
  • the features of the virtualization software are not well integrated with a services management unit of the cloud platform, the customers may not be able to access certain functionalities of the cloud platform, which can have a negative impact on the quality of service provided by said cloud platform.
  • CMP Cloud Service orchestration/processing module
  • CMP Cloud Automation Service
  • vSphere a virtualization software
  • the very basic integration does not allow to manage vSphere Virtual Machines (VMs) using the cloud management portal.
  • the present invention therefore has the object to obviate certain drawback of the prior art by proposing a computing infrastructure for providing cloud services to customers.
  • CMPP cloud management platform portal
  • CMPP cloud management platform portal
  • a system for managing security on a cloud management platform portal comprising a set of routines (scripts) which are executed on a computing device or processor allowing the cloud management platform portal to contact a cloud automation service (CAS) by using a REST API (Representational State Transfer Application Programing Interface) to access and configure a set of functionalities of the CAS of the platform hosting services in a portal so as to provision services to a customer, and a ServiceNow (SNOW) application comprising at least one set of herebelow routines comprising at least one of the following:
  • the system comprises a set of routines the execution of which on a processor provides to the CMPP a set of functionalities and applications comprising at least:
  • the set of functionalities and applications also comprises:
  • Another goal of the invention also concerns a method for providing cloud services to customers.
  • This goal is achieved by a process for managing a security group on a cloud management platform portal by means of a system for managing security as described in the invention, the system comprising a set of software codes executed on a processor of the platform to implement the process for managing a security group, said process being characterized in that it comprises at least one of the following:
  • a set of software codes is executed on the platform for creating a security group (SG), said creation of a security group process comprising:
  • a set of software codes is executed on the platform for modifying an existing security group, said modification of an existing security group process comprising the following steps:
  • a set of software codes is executed on the platform for deleting a security group, said deletion of a security group process comprising the following steps:
  • a set of software codes is executed on the platform for configuring a SDN security group rule, said configuration of a SDN security group rule process comprising at least one of the sub-steps:
  • a set of software codes is executed on the platform for creating a SDN security group rule, said creation of a SDN security group rule process, comprising:
  • a set of software codes is executed on the platform for modifying a SDN security group rule, said modification of a SDN security group rule process comprising the following steps:
  • a set of software codes is executed on the platform for deleting a SDN security group rule, said deletion of a SDN security group rule process comprising the following steps
  • the system for managing security is used in a server for managed PaaS (Platform as a service) comprising, in a container-based architecture, at least a processor and memories to save data and executable softwares so as to embed a cloud application software into a fully managed PaaS stack, abstracting complex hybrid Infrastructure as a Service (IaaS) away, said server being characterized in that the SNOW application of the system for managing security represents a first layer of said server, executed on at least a processor and is configured to:
  • the SNOW application is executed on the server for managed PaaS and displayed on a console adapted to the cloud application integrated software by integrating a specific API configured to interface the SNOW (ServiceNow) application language and command to the language and command of the cloud Application integrated software.
  • the system for managing security is used in an orchestrate Hybrid cloud system wherein a SAP (Systems, Applications and Products for data processing) administration is supported by said security management system for security audit and backup monitoring purpose and provisioning by:
  • SAP Systems, Applications and Products for data processing
  • the SNOW application execution on a processor of a computing device of the Orchestrated Hybrid cloud, provides an interface for enabling a user to determine any of the following parameters:
  • the present invention concerns a system for managing security on a cloud management platform portal (CMPP (1)).
  • CMPP (1) cloud management platform portal
  • the system comprises a set of routines (scripts) which are executed on a computing device or processor allowing the cloud management platform portal to contact a cloud automation service (CAS (4)) by using a REST API (3) (Representational State Transfer Application Programing Interface) to access and configure a set of functionalities of the CAS (4) of the platform hosting services in a portal so as to provision services to a customer, and a ServiceNow (2) (SNOW (2)) application comprising at least one the set of herebelow routines comprising at least one of the following:
  • the ServiceNow (2) application may also comprises at least one the set of herebelow routines comprising at least one of the following
  • a security group is a container for security group rules. Security groups and security group rules may allow administrators/manager to specify the type of traffic that is allowed to pass through a port.
  • VM virtual machine
  • VN virtual network
  • the SDN is an approach to networking that separates a control plane from a forwarding plane to support virtualization of computing infrastructures or systems.
  • the ServiceNow (2) (SNOW) application is a Cloud service processing/orchestration module or program or code.
  • the system for managing security on a cloud management platform portal comprises a set of routines which execution on a processor provides to the CMPP (1) a set of functionalities and applications comprising at least:
  • a Disaster Recovery Pod is an additional infrastructure that may be used to host the workloads after disaster occurs in a primary site.
  • the set of applications provided to the CMPP (1) by the execution of the set of routines included in the system for managing security on a cloud management platform portal may comprise a vRA (vRealize Automation) application for automation of cloud services.
  • vRA vRealize Automation
  • the set of functionalities and applications provided to the CMPP (1) by the system the system for managing security on a cloud management platform portal (CMPP (1)) through the execution of a set of routines on a processor, may also comprise:
  • a distributed firewall is a hypervisor kernel-embedded firewall that provides visibility and control for virtualized workloads and networks.
  • the NSX (7) Distributed firewall is a stateful firewall, meaning it monitors the state of active connections and uses this information to determine which network packets to allow through the firewall.
  • a flow is identified by the following:
  • Distributed firewall can help in creating identity-based rules as well. Administrators can enforce access control based on the user's group membership as defined in the enterprise Active Directory. For example, and without limitation, some scenarios where identity-based firewall rules can be used are:
  • Edge Firewall monitors the North-South traffic to provide perimeter security functionality including firewall, Network Address Translation (NAT), and site-to-site IPSec and SSL VPN functionality. This solution is available in the virtual machine form factor and can be deployed in a High Availability mode.
  • NAT Network Address Translation
  • SSL VPN Secure Sockets Layer
  • the invention also concerns a method for managing security group on a cloud management platform portal.
  • the process for managing a security group on a cloud management platform portal comprising a set of software codes executed on a processor the platform to implement the process for managing a security group, said process being characterized in that it comprises at least one of the following:
  • a set of software codes is executed on the platform for creating a security group (SG), said creating a security group process comprising, as illustrated on Figure 2 :
  • a set of software codes is executed on the platform for modifying an existing security group, said modifying an existing security group process comprising, as illustrated on Figure 3 :
  • a set of software codes is executed on the platform for deleting a security group, said deleting a security group process comprising as illustrated on Figure 4 :
  • a set of software codes is executed on the platform for adding server to a security group (not illustrated in the present invention), said adding server to a security group process comprising:
  • a set of software codes is executed on the platform for removing a virtual server to a security group (not illustrated in the present invention) and, said removing a virtual server to a security group comprising for the following steps:
  • a set of software codes is executed on the platform for configuring a SDN security group rule, said configuring a SDN security group rule process comprising at least one of the sub-steps:
  • a set of software codes is executed on the platform for creating a SDN security group rule, said creating a SDN security group rule comprising, as illustrated on Figure 5 :
  • a set of software codes is executed on the platform for modifying a SDN security group rule, said modifying a SDN security group rule process comprising, as illustrated on Figure 6 :
  • a set of software codes is executed on the platform for deleting SDN security group rule, said deleting SDN security group rule process comprising, as illustrated on Figure 7 :
  • the system for managing security may be used in a server for managed PaaS (Platform as a service) comprising, in a container-based architecture, at least a processor and memories to save data and executable softwares so as to embed a cloud application software into a fully managed PaaS stack, abstracting complex hybrid Infrastructure as a Service (IaaS) away.
  • the SNOW application of the system for managing security may represent a first layer of said server for managed PaaS, executed on at least a processor and configured to:
  • the SNOW application is executed on the server for managed PaaS and displayed on a console adapted to the cloud application integrated software (Apprenda) by integrating a specific API configured to interface the SNOW (ServiceNow (2)) application language and command to the language and command of the cloud Application integrated software (Apprenda).
  • system for managing security may be used in an orchestrate Hybrid cloud system wherein a SAP (Systems, Applications and Products for data processing) administration is supported by said security management system for security audit and backup monitoring purpose and provisioning by:
  • SAP Systems, Applications and Products for data processing
  • the SNOW application execution, of the system for managing security used in the Orchestrated Hybrid Cloud system, on a processor of a computing device of the Orchestrated Hybrid cloud system provides an interface for enabling a user to determine any of the following parameters:

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Mathematical Physics (AREA)
  • General Physics & Mathematics (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention concerns system for managing security on a cloud management platform portal (CMPP (1)), the system comprising a set of routines (scripts) which are executed on a computing device or processor allowing the cloud management platform portal to contact a cloud automation service (CAS (4)) so as to provision services to a customer, and a ServiceNow (2) (SNOW) application comprising at least one the set of herebelow routines comprising at least one of the following:.• a network Standard Service Request (SSR (20)) to delete a security group (SG)• a network SSR (20) to create a new Security group• a network SSR (20) to modify an existing Security group• a network activity SSR (20) to delete a Software-Defined Networking (SDN) Security group rule on hyper-converged platforms• a network activity SSR (20) to create a new SDN Security group rule on hyper-converged platforms• a network activity SSR (20) to modify an existing SDN (Software defined Networking) Security group rule on hyper-converged platforms• a network SSR (20) to remove a virtual machine from a Security group• a network SSR (20) to add a virtual machines (VM) to a Security group

Description

    TECHNICAL FIELD OF THE INVENTION
  • . The invention relates to the field of cloud services management and provision.
  • STATE OF THE PRIOR ART
  • Generally, cloud service providers offering hybrid and or multi-cloud services to major corporation has the challenge of providing orchestration of a vast number of legacy infrastructures of multiple customers and multi-cloud environments (Private / Public / Various brands GCP, AWS, Azure, VMware, OracleVM).
  • Virtualization of computing infrastructures is a fundamental process that powers cloud computing in order to provide services to customers requesting services on a cloud platform through a portal. However, when the features of the virtualization software are not well integrated with a services management unit of the cloud platform, the customers may not be able to access certain functionalities of the cloud platform, which can have a negative impact on the quality of service provided by said cloud platform.
  • For example, customers using the ServiceNow (a cloud service orchestration/processing module) cloud management portal (CMP) are not able to leverage said ServiceNow cloud management portal (CMP) to provision services via a Cloud Automation Service (CAS). Only basic integration with vSphere, a virtualization software, is present. This only includes provisioning and powers state changes services. The very basic integration does not allow to manage vSphere Virtual Machines (VMs) using the cloud management portal.
  • The implication is that customers using ServiceNow (SNOW) Cloud management portal (CMP) are not able to get fully featured vSphere capabilities. The current vCenter implementation is limited in scope and lacking flexibility for extension and innovation around the Vmware environment.
  • Therefore, there is a need for a system that solves this typical problem
  • SUMMARY OF THE INVENTION
  • The present invention therefore has the object to obviate certain drawback of the prior art by proposing a computing infrastructure for providing cloud services to customers.
  • This goal is achieved by a system for managing security on a cloud management platform portal (CMPP), the system comprising a set of routines (scripts) which are executed on a computing device or processor allowing the cloud management platform portal to contact a cloud automation service (CAS) by using a REST API (Representational State Transfer Application Programing Interface) to access and configure a set of functionalities of the CAS of the platform hosting services in a portal so as to provision services to a customer, and a ServiceNow (SNOW) application comprising at least one set of herebelow routines comprising at least one of the following:
    • a network Standard Service Request (SSR) to delete a security group (SG)
    • a network SSR to create a new Security group
    • a network SSR to modify an existing Security group
    • a network activity SSR to delete a Software-Defined Networking (SDN) Security group rule on hyper-converged platforms
    • a network activity SSR to create a new SDN Security group rule on hyper-converged platforms
    • a network activity SSR to modify an existing SDN (Software defined Networking) Security group rule on hyper-converged platforms
  • According to another feature, the system comprises a set of routines the execution of which on a processor provides to the CMPP a set of functionalities and applications comprising at least:
    • a ServiceNow (SNOW) application comprising the above set of SSRs for delivering a set of services and comprising a Master Snow Workflow Dispatcher (MSWD)
    • a REST API (Representational State Transfer Application Programing Interface)
    • a MID (MID Server is a Java application that runs on a server on a local network) server for allowing communication and movement of data between the platform and external applications, data sources, and services or for passing a call to Master vRO dispatcher
    • a Master vRO (vRealize Orchestrator) for automation of workflow processes
    • a slave vRo for automation of workflow processes
    • a set of Security Group Applications (SGA) for implementing processes related to security group set up
    • a Disaster recovery (DR) Pod application for hosting workloads after disaster occurs in a primary site
    • a cloud Management database (CMDB)
  • According to another feature, the set of functionalities and applications also comprises:
    • a set of SDN security group rule applications for implementing processes related to security group rule set up
    • a NSX Firewall comprising distributed and edge firewall
    • a SSR workflow dispatcher
  • Another goal of the invention also concerns a method for providing cloud services to customers.
  • This goal is achieved by a process for managing a security group on a cloud management platform portal by means of a system for managing security as described in the invention, the system comprising a set of software codes executed on a processor of the platform to implement the process for managing a security group, said process being characterized in that it comprises at least one of the following:
    • Creating a security group (SG)
    • Modifying an existing security group
    • Deleting a security group
    • Adding server to a security group
    • Removing a virtual server to a security group
    • Configuring a SDN security group rule
  • According to another feature, a set of software codes is executed on the platform for creating a security group (SG), said creation of a security group process comprising:
    • Inviting a user to fill in a form and submit it in ServiceNOW through an interactive interface of the CMPP,
    • Calling a Rest API call
    • passing the call to Master vRO dispatcher by means of the MID Server
    • calling a SSR "Create a Security group workflow" by means of the Master vRO dispatcher controlling the Master worflows
    • triggering a "Create Security group wrapper" by means of a Master workflow
    • triggering a remote workflow on slave vRO by means of the Security Group Wrapper
    • updating data on a NSX firewall via rest API by means of the Slave vRO workflow
    • triggering Provision Security Group Configuration Item in CMDB workflow by means of the Master workflow
    • triggering Modify Name of Security Group belonging to the "Modify SG " SSR with Sys_id Wrapper (which is returned by CMDB) workflow by means of the Master vRO workflow.
    • Modifying Name and description of Security Group via rest API by means of the Slave vRO workflow
    • If DR Pod (11a) exists, then triggering in the same way creation of Security Group in Slave vRO of DR Pod (11a)
    • updating the status of the request to SNOW via Rest API by means of the Master Snow Workflow Dispatcher.
  • According to another feature, a set of software codes is executed on the platform for modifying an existing security group, said modification of an existing security group process comprising the following steps:
    • Inviting a user to fill in a form and submit it in ServiceNOW through an interactive interface of the CMPP
    • Calling a Rest API call
    • passing the call to Master vRO dispatcher by means of the MID Server
    • calling a SSR (1IAAS306c) "Modifying a security group workflow" by means of the Master vRO dispatcher
    • triggering Modify a Security group wrapper by means of the Master workflow
    • triggering remote workflow on slave vRO by means of the security group Wrapper
    • updating data on a NSX firewall by means of Slave vRO workflow via rest API
    • If DR Pod (11a) exists, then triggering the same way, modification of Security Group in Slave vRO of DR Pod
    • updating the Status of the request to SNOW by means of the Snow Workflow Dispatcher (MSWD) via Rest API
  • According to another feature, a set of software codes is executed on the platform for deleting a security group, said deletion of a security group process comprising the following steps:
    • Inviting a user to fill in a form and submit it in ServiceNOW through an interactive interface of the CMPP
    • Calling a Rest API call
    • passing the call to Master vRO dispatcher by means of the MID Server
    • calling a "deleting a security group workflow" by means of the Master vRO dispatcher
    • triggering Delete Security group wrapper by means of the Master workflow or triggering "APPLY_ON" SG Delete Security group wrapper by means Master workflow
    • triggering remote workflow on slave vRO by means of the delete Security Group Wrapper
    • updating data on NSX by means of the Slave vRO workflow via rest API
    • If DR pod exists, then triggering in the same way removing of Security Groups in Slave vRO of DR Pod
    • triggering Provision Security Group Configuration Items in CMDB workflow by means of the Master workflow, if DR Pod does not exist
    • updating CMDB security group Configuration Items by means of Provision Security Group CI in CMDB workflow via Snow Rest API
    • updating the Status of the request to SNOW by means of the Snow Workflow Dispatcher via Rest API.
  • According to another feature, a set of software codes is executed on the platform for configuring a SDN security group rule, said configuration of a SDN security group rule process comprising at least one of the sub-steps:
    • Creating a SDN security group rule;
    • Modifying a SDN security group rule;
    • Deleting SDN security group rule
  • According to another feature, a set of software codes is executed on the platform for creating a SDN security group rule, said creation of a SDN security group rule process, comprising:
    • Inviting a user to fill in a form and submit it in ServiceNOW through an interactive interface of the ;
      • passing the call to Master vRO dispatcher by means of the MID Server
      • triggering SNOW Workflow Dispatcher with following input
        • WorfklowlD (Friendly name of the vRO workflow to be executed)
        • Json (containing Parameters with input parameter for workflow to be executed)
        • RITMID (identifier of the request in SNOW that will be updated with status by SNOW Workflow dispatcher workflow)
      • triggering a SSR "create SDN security group rule" Workflow passing all input parameters by means of the SNOW Workflow Dispatcher
      • calling Create NSX Firewall Rule Wrapper workflow
      • creating Inputs for the Create NSX Firewall Rule workflow and passing them through to the workflow via the Multi-Node Execute workflow wrapper
      • created an NSX Firewall Rule under a new or existing Firewall section within the Create NSX Firewall Rule workflow on the slave POD
      • executing the Provision Firewall Rule CI in SNOW CMDB workflow to keep CMDB up to date at return to the main ACCP (Atos cloud control platform) workflow after successful Firewall rule creation
      • executing Modify NSX Firewall Rule Wrapper workflow to rename new firewall rule name with identity of database CMDB id
      • executing Disaster recovery (DR) Enabled entry check
      • calling DR Create NSX Firewall Rule Wrapper workflow
    • creating Inputs for the DR Create NSX Firewall Rule Wrapper workflow and passing them through to the workflow via a Multi-Node Execute workflow wrapper
  • According to another feature, a set of software codes is executed on the platform for modifying a SDN security group rule, said modification of a SDN security group rule process comprising the following steps:
    • Inviting a user to fill in a form and submit it in ServiceNOW through an interactive interface of the CMPP;
    • passing the call to Master vRO dispatcher by means of the MID Server
    • triggering SNOW Workflow Dispatcher with following input
      • WorfklowlD (Friendly name of the Master vRO workflow to be executed)
      • Json (containing Parameters with input parameter for workflow to be executed)
      • RITMID (identifier of the request in SNOW that will be updated with status by SNOW Workflow dispatcher workflow)
    • triggering a SSR "Modify SDN security group rule Workflow" passing all input parameters by means of the SNOW Workflow Dispatcher
    • calling the Modify NSX Firewall Rule Wrapper workflow
    • creating Inputs for the Modify NSX Firewall (FW) Rule workflow and passing them through to the workflow via a Multi-Node Execute workflow wrapper
    • modifying an NSX Firewall Rule under an existing Firewall section within the Modify NSX Firewall Rule workflow on the slave POD, is
    • checking whether DR Pod and DR Location information was sent from snow at the return to the main ACCP workflow after a successful FW rule modification, If yes - calling the same wrapper workflow for DR pod and making same modifications to DR Firewall Rule, the Firewall Rule on DR site being searched by name + DR suffix.
    • If no, executing Provision Firewall Rule CI in SNOW CMDB workflow to keep CMDB up to date
    • Updating the Status of the request to SNOW via Rest API by means of the Snow Workflow Dispatcher.
  • According to another feature, a set of software codes is executed on the platform for deleting a SDN security group rule, said deletion of a SDN security group rule process comprising the following steps
    • Inviting a user to fill in a form and submit it in ServiceNOW through an interactive interface of the CMPP
    • calling Rest API call
    • passing the call to Master vRO dispatcher by means of the MID Server
    • calling SSR Delete SDN Security group Rule workflow by dispatcher
    • triggering Delete NSX Firewall Rule wrapper by means of the Master workflow
    • triggering remote workflow on slave vRO by means of the NSX Firewall Rule wrapper
    • updating data on NSX via rest API by means of Slave vRO workflow
    • If DR pod exists, then triggering in the same way removing of Firewall Rule in Slave vRO of DR Pod.
    • triggering Provision/Decommission Firewall Rule CI in CMDB workflow by means of the Master workflow (Master vRO workflow).
    • updating CMDB
    • updating the Status of the request to SNOW via Rest API by means of the Master Snow Workflow Dispatcher.
  • According to another feature, the system for managing security, according the invention, is used in a server for managed PaaS (Platform as a service) comprising, in a container-based architecture, at least a processor and memories to save data and executable softwares so as to embed a cloud application software into a fully managed PaaS stack, abstracting complex hybrid Infrastructure as a Service (IaaS) away, said server being characterized in that the SNOW application of the system for managing security represents a first layer of said server, executed on at least a processor and is configured to:
    • parse and orchestrate a cloud service requested to consume from the cloud service user request
    • to select the cloud computing services and/or resources provided by the cloud service provider and/or a function mode,
    • execute a cloud service operation. and make end to end management in the cloud through dialog
      • with a second layer represented by a Cloud Application integrated software for application transformation and
      • a third layer represented by integrated softwares for infrastructure brokering with the public cloud managed by the integrated software.
  • According to another feature, the SNOW application is executed on the server for managed PaaS and displayed on a console adapted to the cloud application integrated software by integrating a specific API configured to interface the SNOW (ServiceNow) application language and command to the language and command of the cloud Application integrated software.
  • According to another feature, the system for managing security according to the invention, is used in an orchestrate Hybrid cloud system wherein a SAP (Systems, Applications and Products for data processing) administration is supported by said security management system for security audit and backup monitoring purpose and provisioning by:
    • Distribution of SAP monitoring templates by Automatically provisioning of computing resources in virtual environments;
    • Software Control and Distribution for Distributing of Monitoring agents
    • Patch Management for providing Regular patching of Monitoring agents
    • Security Compliancy for satisfying Security compliance according rules, laws and IT Controls
    • System Management for providing System administration task automation, central administration, Inventory, Detailed software inventory for SAP and Used as data source for CMDB.
  • According to another feature, the SNOW application execution, on a processor of a computing device of the Orchestrated Hybrid cloud, provides an interface for enabling a user to determine any of the following parameters:
    • time window for support availability
    • time window for incident handling depending on priority
    • time window for change handling
    • Enterprise resource planning (ERP) dialog response time
    • virtual relational database management system (such as Hana) server size
    • physical relational database management system (such as Hana) server size
    • initial and minimal relational database management system (such as Hana) storage size
    • data recovery parameter such as RPO (recovery point objective), or RTO (recovery time objective)
    SHORT DESCRIPTION OF THE FIGURES
  • Other features, details and advantages of the invention will become apparent upon reading the description which follows with reference to the appended figures, which illustrate:
    • Figure 1, illustrates a system for managing security on a cloud management platform portal according an embodiment, according one embodiment;
    • Figure 2, illustrates the process for creating a security group (SG), according one embodiment;
    • Figure 3 illustrates the process for modifying a security group (SG), according one embodiment;
    • Figure 4 illustrates the process for deleting a security group (SG), according an embodiment.
    • Figure 5 illustrates the process for creating a Software-Defined Networking (SDN) security group rule, according an embodiment;
    • Figure 6 illustrates the process for modifying a Software-Defined Networking (SDN) security group rule, according an embodiment;
    • Figure 7 illustrates the process for deleting a Software-Defined Networking (SDN) security group rule, according an embodiment.
    DISCUSSION OF THE INVENTION
  • The present invention concerns a system for managing security on a cloud management platform portal (CMPP (1)).
  • Many combinations may be contemplated without departing from the scope of the invention; one skilled in the art will select either one depending on economical, ergonomical, dimensional constraints or others which he/she will have to observe.
  • In some embodiments, the system , as illustrated for example in Figure 1, comprises a set of routines (scripts) which are executed on a computing device or processor allowing the cloud management platform portal to contact a cloud automation service (CAS (4)) by using a REST API (3) (Representational State Transfer Application Programing Interface) to access and configure a set of functionalities of the CAS (4) of the platform hosting services in a portal so as to provision services to a customer, and a ServiceNow (2) (SNOW (2)) application comprising at least one the set of herebelow routines comprising at least one of the following:
    • a network Standard Service Request (SSR (20)) to delete a security group (SG);
    • a network SSR (20) to create a new Security group;
    • a network SSR (20) to modify an existing Security group;
    • a network activity SSR (20) to delete a Software-Defined Networking (SDN) Security group rule on hyper-converged platforms (a software-defined IT infrastructure that virtualizes all of the elements of conventional "hardware-defined" systems.);
    • a network activity SSR (20) to create a new SDN Security group rule on hyper-converged platforms;
    • a network activity SSR (20) to modify an existing SDN (Software defined Networking) Security group rule on hyper-converged platforms;
  • In some embodiments, the ServiceNow (2) application may also comprises at least one the set of herebelow routines comprising at least one of the following
    • a network SSR (20) to remove a virtual machine from a Security group;
    • a network SSR (20) to add a virtual machines (VM) to a Security group;
  • A security group is a container for security group rules. Security groups and security group rules may allow administrators/manager to specify the type of traffic that is allowed to pass through a port. When a virtual machine (VM) is created in a virtual network (VN), a security group can be associated with the VM when it is launched.
  • The SDN is an approach to networking that separates a control plane from a forwarding plane to support virtualization of computing infrastructures or systems. The ServiceNow (2) (SNOW) application is a Cloud service processing/orchestration module or program or code.
  • In some embodiments, the system for managing security on a cloud management platform portal (CMPP (1)) comprises a set of routines which execution on a processor provides to the CMPP (1) a set of functionalities and applications comprising at least:
    • a ServiceNow (2) (SNOW) application comprising the above set of SSR (20)s for delivering a set of services and comprising a Master Snow Workflow Dispatcher (21) (MSWD);
    • a REST API (3) (Representational State Transfer Application Programing Interface);
    • A MID (MID Server (6) is a Java application that runs on a server on your local network) server for allowing communication and movement of data between the platform and external applications, data sources, and services or for passing a call to Master vRO (8) dispatcher;
    • A Master vRO (8) (vRealize Orchestrator) for automation of workflow processes;
    • A slave vRo (9) for automation of workflow processes;
    • A set of Security Group Applications (SGA (11B)) for implementing processes related to security group set up;
    • A Disaster recovery (DR) Pod application for hosting workloads after disaster occurs in the primary site;
    • a cloud Management database (CMDB (5)).
  • A Disaster Recovery Pod is an additional infrastructure that may be used to host the workloads after disaster occurs in a primary site.
  • In some embodiments, the set of applications provided to the CMPP (1) by the execution of the set of routines included in the system for managing security on a cloud management platform portal may comprise a vRA (vRealize Automation) application for automation of cloud services.
  • In some embodiments, the set of functionalities and applications, provided to the CMPP (1) by the system the system for managing security on a cloud management platform portal (CMPP (1)) through the execution of a set of routines on a processor, may also comprise:
    • a set of SDN security group rule applications for implementing processes related to security group rule set up
    • a NSX Firewall comprising distributed and edge firewall
    • a SSR (20) workflow dispatcher (Master vRO (8) dispatcher)
  • A distributed firewall is a hypervisor kernel-embedded firewall that provides visibility and control for virtualized workloads and networks. The NSX (7) Distributed firewall is a stateful firewall, meaning it monitors the state of active connections and uses this information to determine which network packets to allow through the firewall. A flow is identified by the following:
    • Source address
    • Source port
    • Destination address
    • Destination port
    • Protocol
  • Distributed firewall can help in creating identity-based rules as well. Administrators can enforce access control based on the user's group membership as defined in the enterprise Active Directory. For example, and without limitation, some scenarios where identity-based firewall rules can be used are:
    • User accessing virtual applications using a laptop or mobile device where AD is used for user authentication
    • User accessing virtual applications using Virtual Desktop Infrastructure (VDI) where the virtual machines are Microsoft Windows-based
  • Edge Firewall monitors the North-South traffic to provide perimeter security functionality including firewall, Network Address Translation (NAT), and site-to-site IPSec and SSL VPN functionality. This solution is available in the virtual machine form factor and can be deployed in a High Availability mode.
  • The invention also concerns a method for managing security group on a cloud management platform portal.
  • In some embodiments, the process for managing a security group on a cloud management platform portal, as described above, the system comprising a set of software codes executed on a processor the platform to implement the process for managing a security group, said process being characterized in that it comprises at least one of the following:
    • Creating a security group (SG)
    • Modifying an existing security group
    • Deleting a security group
    • Adding server to a security group
    • Removing a virtual server to a security group
    • Configuring a SDN security group rule
  • In some embodiments, a set of software codes is executed on the platform for creating a security group (SG), said creating a security group process comprising, as illustrated on Figure 2:
    • Inviting (E1) a user to fill in a form and submit it (E2) in ServiceNow (2) through an interactive interface (10) of the CMPP (1);
    • Calling a REST API (3) call
    • passing the call (E3) to Master vRO (8) dispatcher by means of the MID Server (6). Passing the call (E3) may comprise triggering the Master vRO (8) SSR workflow or Master vRO (8) dispatcher dispatcher or SSR workflow dispatcher.
    • calling (C100) a SSR (20) "Create a Security group workflow" by means of the Master vRO (8) dispatcher controlling the Master worflows
    • triggering (C101) a "Create Security group wrapper" by means of a Master workflow. In another embodiment, an "APPLYON_Create Security Group Wrapper" step (C102) is triggered. When the "Create Security group wrapper" step (C101 or C102) is executed, a Multi-node execution of workflows (C103, C103') may be launched.
    • triggering (C108, C108') a remote workflow on slave vRo (9) by means of the Security Group Wrapper
    • updating data (C109, C109') on a NSX firewall via REST API (3) by means of the Slave vRo (9) workflow
    • triggering (C104) Provision Security Group Configuration Item in CMDB (5) workflow by means of the Master workflow
    • triggering (E1042) Modify Name of Security Group belonging to the "Modify SG" SSR (20) with Sys_id Wrapper (which is returned by CMDB (5)) workflow by means of the Master vRO (8) workflow.
    • Modifying Name and description of Security Group via REST API (3) by means of the Slave vRo (9) workflow
    • If DR Pod (11a) exists (C105), then triggering in the same way creation of Security Group (C109') in Slave vRo (9) of DR Pod (11a) (steps C106, C107)
    • updating (E32) the status of the request to SNOW via REST API (3) by means of the Master Snow Workflow Dispatcher (21).
  • In some embodiments, a set of software codes is executed on the platform for modifying an existing security group, said modifying an existing security group process comprising, as illustrated on Figure 3:
    • Inviting (E1) a user to fill in a form and submit it (E2) in ServiceNow (2) through an interactive interface of the CMPP (1)
    • Calling a REST API (3) call
    • passing (E3) the call to Master vRO (8) dispatcher by means of the MID Server (6)
    • calling (M100) a SSR (20) "Modifying a security group workflow" by means of the Master vRO (8) dispatcher
    • triggering (M101) Modify a Security group wrapper by means of the Master workflow. In another embodiment, a "APPLYON_Modify Security Group Wrapper" step (M102) is triggered. When the "Modify Security group wrapper" step (M101 or M102) is executed, a Multi-node execution of workflows (M103, M103') may be launched.
    • triggering (M107, M107') remote workflow on slave vRo (9) by means of the security group Wrapper
    • updating (M108, 108') data on a NSX firewall by means of Slave vRo (9) workflow via REST API (3)
    • If DR Pod (11a) exists (M104), then triggering the same way, modification of Security Group in Slave vRo (9) of DR Pod (11a) (M105, M106)
    • updating (E32) the Status of the request to SNOW by means of the Snow Workflow Dispatcher (MSWD) via REST API (3)
  • In some embodiments, a set of software codes is executed on the platform for deleting a security group, said deleting a security group process comprising as illustrated on Figure 4:
    • Inviting (E1) a user to fill in a form and submit it (E2) in ServiceNow (2) through an interactive interface of the CMPP (1)
    • Calling a REST API (3) call
    • passing (E3) the call to Master vRO (8) dispatcher by means of the MID Server (6)
    • calling (D100) a SSR (20) "deleting a security group workflow" by means of the Master vRO (8) dispatcher
    • triggering (D101) Delete Security group wrapper by means of the Master workflow. When the "Delete Security group wrapper" step (D101 or D102) is executed, a Multi-node execution of workflows (D103, D103') may be launched.
    • triggering (D108) remote workflow on slave vRo (9) by means of the delete Security Group Wrapper
    • updating (D109) data on NSX by means of the Slave vRo (9) workflow via REST API (3)
    • In another embodiment, after calling (D100) the SSSR(20) "deleting a security group workflow", triggering (D102) for "APPLY_ON SG Delete Security group wrapper" by means Master workflow.
      • triggering (D108) remote workflow on slave vRo (9) by means of Delete Security group wrapper
      • updating (D109) data on NSX by means of the Slave vRo (9) workflow via REST API (3)
    • If DR Pod (11a) exists (D104), then triggering (D106 or D107, D103', D108' and D109') in the same way removing of Security Groups in Slave vRo (9) of DR Pod (11a)
    • Triggering (D105) Provision Security Group Configuration Items in CMDB (5) workflow by means of the Master workflow (f DR Pod (11a) does not exist)
    • updating (E1052) CMDB (5) security group Configuration Items by means of Provision Security Group CI in CMDB (5) workflow via Snow REST API (3)
    • updating (E32) the Status of the request to SNOW by means of the Snow Workflow Dispatcher via REST API (3).
  • In some embodiments, a set of software codes is executed on the platform for adding server to a security group (not illustrated in the present invention), said adding server to a security group process comprising:
    • 1) Inviting a user to fill in a form and submit it in ServiceNow (2) through an interactive interface of the CMPP (1)
    • 2) Calling a REST API (3) call
    • 3) passing the call to Master vRO (8) dispatcher by means of the MID Server (6)
    • 4) triggering SSR (20) Workflow Dispatcher with at least one of input (or all of the inputs?) it gets from resource onelaasConfig.json
      • WorfklowID (Friendly name of the vRO workflow to be executed)
      • Json (containing Parameters with input parameter for workflow to be executed)
      • RITMID (identifier of the request in SNOW that will be updated with status by SSR (20) Workflow dispatcher)
    • 5) triggering a SSR (20) "ADD Virtual Machine" (AVM) to Security Group Workflow by means of the SSR (20) Workflow Dispatcher Workflow
    • 6) checking DPC Version and calling "Add Virtual Machine functionality" to Security Group Wrapper Workflow by means of the SSR (20) "ADD Virtual Machine to Security Group Workflow" and then calling a "Multi-Node Execute workflow" by means of the Security Group Wrapper.
    • 7) Triggering the "Add Virtual Machine" to "Security Group workflow" in the remote vRO by means of the Multi-Node Execute workflow.
    • 8) checking two conditions in a vRA (vRealize Automation):
      • if Pod is DR Enabled and
      • if VM is part of a DR Security Group, by means of SSR (20) (1IAAS206a) ADD VM to Security Group Workflow from Master vRO (8) and :
        • If both conditions are met, DR IP address is taken from vRA for selected VM and Add VM to Security Group Wrapper is triggered again the DR Pod (11a) (step 7)
        • If any of the conditions is not met workflow jumps to the next step 9
    • 9) updating CMDB (5) gets through REST call
    • 10) updating the Request status by SSR (20) workflow dispatcher through REST call
  • In some embodiments, a set of software codes is executed on the platform for removing a virtual server to a security group (not illustrated in the present invention) and, said removing a virtual server to a security group comprising for the following steps:
    • 1) Inviting a user to fill in a form and submit it in ServiceNow (2) through an interactive interface of the CMPP (1);
    • 2) creating REST API (3) call and putting it in ServiceNow (2) ECC queue
    • 3) making a periodical SOAP call to ServiceNow (2) to retrieve REST API (3) call by means of the MID Server (6)
    • 4) passing REST API (3) Call, by means of the MID Server (6), to Master vRO (8) to call a SSR (20) (1IAAS206b) Remove virtual server Workflow
    • 5) triggering SSR (20) Workflow Dispatcher with following inputs
      • WorfklowID (Friendly name of the vRO workflow to be execute)
      • Json (containing Parameters with input parameter for workflow to be executed)
      • RITMID (identifier of the request in SNOW that will be updated with status by SSR (20) Workflow dispatcher workflow)
    • 6) triggering the SSR (20) (1AAS206b) Remove virtual server Workflow passing all input parameters by means of the SSR (20) Workflow Dispatcher
    • 7) preparing, by means of the SSR (20) (1AAS206b) "Remove virtual server Workflow", Properties basing on the input parameters that will be assigned to VCAC (vCloud Administrator Center) Virtual Machine
    • 8) checking DPC Version and calling the Remove VM from Security Wrapper workflow by means of the SSR (20) (1AAS206b) Remove virtual server Workflow and then calling the multi-node workflow by using the Remove VM from Security Wrapper and the Remove VM from Security in the remote vRO gets executed
    • 9) removing IPSet object from NSX Security Group by means of Slave workflow
    • 10) Removing Virtual Machine from a Security Group Workflow from Master vRO (8), checking in vRA if Pod is DR Enabled and if Virtual Machine is part of a DR Security Group by using SSR (20) (1AAS206b) Remove virtual server Workflow:
      • If both conditions are met, DR IP address is taken from vRA for selected VM and "Remove VM" from Security Group Wrapper is triggered again in the DR Pod (11a) (step 8)
      • If any of the conditions is not met workflow jumps to the next step 10
    • 11) updating CMDB (5) through REST call and removing VM is from the Security Group
    • 12) updating the Request status by SSR (20) workflow dispatcher through REST call
  • In some embodiments, a set of software codes is executed on the platform for configuring a SDN security group rule, said configuring a SDN security group rule process comprising at least one of the sub-steps:
    • Creating a SDN security group rule
    • Modifying a SDN security group rule
    • Deleting SDN security group rule
  • In some embodiments, a set of software codes is executed on the platform for creating a SDN security group rule, said creating a SDN security group rule comprising, as illustrated on Figure 5:
    • Inviting (E1) a user to fill in a form and submit it (E2) in ServiceNow (2) through an interactive interface of the CMPP (1)
    • passing the call to Master vRO (8) dispatcher by means of the MID Server (6)
    • triggering (E3) SNOW Workflow Dispatcher with following input
      • WorfklowID (Friendly name of the vRO workflow to be executed)
      • Json (containing Parameters with input parameter for workflow to be executed)
      • RITMID (identifier of the request in SNOW that will be updated with status by SNOW Workflow dispatcher workflow)
    • triggering (C200) a SSR (20) (1AAS310a) "create SDN security group rule" Workflow passing all input parameters by means of the SNOW Workflow Dispatcher
    • calling (C201) Create NSX Firewall Rule Wrapper workflow
    • creating (C206) Inputs for the Create NSX Firewall Rule workflow and passing them through to the workflow via the Multi-Node Execute workflow wrapper
    • creating (C207) an NSX Firewall Rule under a new or existing Firewall section within the Create NSX Firewall Rule workflow on the slave POD
    • executing (C202) the Provision Firewall Rule CI in SNOW CMDB (5) workflow to keep CMDB (5) up to date at return to the main ACCP (Atos cloud control platform) workflow after successful Firewall rule creation
    • executing (C2022) Modify NSX Firewall Rule Wrapper workflow to rename new firewall rule name with identity of database CMDB (5) id
    • executing (C204) Disaster recovery (DR) Enabled entry check
    • calling (C205) DR Create NSX Firewall Rule Wrapper workflow
    • creating (C206) Inputs for the DR Create NSX Firewall Rule Wrapper workflow and passing them through to the workflow via a Multi-Node Execute workflow wrapper.
  • In some embodiments, a set of software codes is executed on the platform for modifying a SDN security group rule, said modifying a SDN security group rule process comprising, as illustrated on Figure 6:
    • Inviting (E1) a user to fill in a form and submit it (E2) in ServiceNow (2) through an interactive interface of the CMPP (1)
    • passing the call to Master vRO (8) dispatcher by means of the MID Server (6)
    • triggering (E3) SNOW Workflow Dispatcher with following input
      • WorfklowlD (Friendly name of the Master vRO (8) workflow to be executed)
      • Json (containing Parameters with input parameter for workflow to be executed)
      • RITMID (identifier of the request in SNOW that will be updated with status by SNOW Workflow dispatcher workflow)
    • Triggering (M200) a SSR (20) "Modify SDN security group rule Workflow" passing all input parameters by means of the SNOW Workflow Dispatcher
    • calling (M201) the Modify NSX Firewall Rule Wrapper workflow
    • creating (M205) Inputs for the Modify NSX Firewall (FW) Rule workflow and passing them through to the workflow via a Multi-Node Execute workflow wrapper
    • modifying (M206) an NSX Firewall Rule under an existing Firewall section within the Modify NSX Firewall Rule workflow on the slave POD,
    • checking (M202) whether DR Pod (11a) and DR Location information was sent from snow at the return to the main ACCP workflow after a successful FW rule modification, If yes - calling (M204) the same wrapper workflow for DR Pod (11a) and making same modifications to DR Firewall Rule, the Firewall Rule on DR site being searched by name + DR suffix.
    • If no, executing (M203) Provision Firewall Rule CI in SNOW CMDB (5) workflow to keep CMDB (5) up to date (E2032)
    • Updating (E32) the Status of the request to SNOW via REST API (3) by means of the Snow Workflow Dispatcher.
  • In some embodiments, a set of software codes is executed on the platform for deleting SDN security group rule, said deleting SDN security group rule process comprising, as illustrated on Figure 7:
    • Inviting (E1) a user to fill in a form and submit it (E2) in ServiceNow (2) through an interactive interface of the CMPP (1)
    • calling REST API (3) call
    • passing (E3) the call to Master vRO (8) dispatcher by means of the MID Server (6)
    • calling (D200) SSR (20) Delete SDN Security group Rule workflow by dispatcher
    • triggering (D201) Delete NSX Firewall Rule wrapper by means of the Master workflow
    • triggering (D205) remote workflow on slave vRo (9) by means of the NSX Firewall Rule wrapper
    • updating (D206) data on NSX via REST API (3) by means of Slave vRo (9) workflow
    • If DR Pod (11a) exists (D202), then triggering (D201', D205' and D206' respectively) in the same way removing of Firewall Rule in Slave vRo (9) of DR Pod (11a).
    • triggering (D204) Provision/Decommission Firewall Rule CI in CMDB (5) workflow by means of the Master workflow (Master vRO (8) workflow).
    • updating (E2042) CMDB (5)
    • updating (E32) the Status of the request to SNOW via REST API (3) by means of the Master Snow Workflow Dispatcher (21).
  • In some embodiments, the system for managing security, as described in the present application, may be used in a server for managed PaaS (Platform as a service) comprising, in a container-based architecture, at least a processor and memories to save data and executable softwares so as to embed a cloud application software into a fully managed PaaS stack, abstracting complex hybrid Infrastructure as a Service (IaaS) away. The SNOW application of the system for managing security may represent a first layer of said server for managed PaaS, executed on at least a processor and configured to:
    • parse and orchestrate a cloud service requested to consume from the cloud service user request,
    • to select the cloud computing services and/or resources provided by the cloud service provider and/or a function mode,
    • execute a cloud service operation and make end to end management in the cloud through dialog
      • with a second layer represented by a Cloud Application (for example, and without limitation, Apprenda) integrated software for application transformation and
      • a third layer represented by other integrated softwares for infrastructure brokering with a public cloud (for example and without limitation Amazon Web Services (AWS)) managed by the integrated softwares.
  • In some embodiments, the SNOW application is executed on the server for managed PaaS and displayed on a console adapted to the cloud application integrated software (Apprenda) by integrating a specific API configured to interface the SNOW (ServiceNow (2)) application language and command to the language and command of the cloud Application integrated software (Apprenda).
  • In some embodiments, the system for managing security, as described in the present application, may be used in an orchestrate Hybrid cloud system wherein a SAP (Systems, Applications and Products for data processing) administration is supported by said security management system for security audit and backup monitoring purpose and provisioning by:
    • distribution of SAP monitoring templates by automatically provisioning of computing resources in virtual environments;
    • software control and distribution for distributing of monitoring agents;
    • patch management for providing regular patching of monitoring agents
    • security compliancy for satisfying security compliance according rules, laws and IT Controls
    • system management for providing system administration task automation, central administration, Inventory, detailed software inventory for SAP and used as data source for CMDB (5) (Cloud management database).
  • In some embodiments, the SNOW application execution, of the system for managing security used in the Orchestrated Hybrid Cloud system, on a processor of a computing device of the Orchestrated Hybrid cloud system, provides an interface for enabling a user to determine any of the following parameters:
    • time window for support availability
    • time window for incident handling depending on priority
    • time window for change handling
    • Enterprise resource planning (ERP) dialog response time
    • virtual relational database management system (such as Hana) server size
    • physical relational database management system (such as Hana) server size
    • initial and minimal relational database management system (such as Hana) storage size
    • data recovery parameter such as RPO (recovery point objective), or RTO (recovery time objective)
  • It should be understood that the enumeration of the steps of any process described in the present application does not represent the sequential order of the steps in which the process should be executed but could be modified by executing a step before others. The sequential order could be modified by the man skilled in the art.
  • It will be easily understood upon reading the present application that the particularities of the present invention, as generally described and illustrated in the figures, may be arranged and designed according to a great variety of different configurations. Thus, the description of the present invention and the related figures are not provided for limiting the scope of the invention but simply illustrating selected embodiments.
  • One skilled in the art will understand that the technical features of a given embodiment may in fact be combined with features of another embodiment unless the opposite is explicitly mentioned or if it is obvious that these features are incompatible. Further, the technical features described in a given embodiment may be isolated from the other features of this embodiment unless the opposite is explicitly mentioned.
  • It should be obvious for persons skilled in the art that the present invention allows embodiments under many other specific forms without departing from the field defined by the scope of the appended claims, these embodiments should be considered as an illustration and the invention should not be limited to the details given above.

Claims (16)

  1. A system for managing security on a cloud management platform portal (CMPP (1)), the system comprising a set of routines (scripts) which are executed on a computing device or processor allowing the cloud management platform portal to contact a cloud automation service (CAS (4)) by using a REST API (3) (Representational State Transfer Application Programing Interface) to access and configure a set of functionalities of the CAS (4) of the platform hosting services in a portal so as to provision services to a customer, and a ServiceNow (2) (SNOW) application comprising at least one the set of herebelow routines comprising at least one of the following:
    • a network Standard Service Request (SSR (20)) to delete a security group (SG)
    • a network SSR (20) to create a new Security group
    • a network SSR (20) to modify an existing Security group
    • a network activity SSR (20) to delete a Software-Defined Networking (SDN) Security group rule on hyper-converged platforms
    • a network activity SSR (20) to create a new SDN Security group rule on hyper-converged platforms
    • a network activity SSR (20) to modify an existing SDN (Software defined Networking) Security group rule on hyper-converged platforms
  2. A system for managing security on a cloud management platform portal (CMPP (1)) according to claim 1, characterized in that it comprises a set of routines which execution on a processor provides to the CMPP (1) a set of functionalities and applications comprising at least:
    • a ServiceNow (2) (SNOW) application comprising the above set of SSRs (20) for delivering a set of services and comprising a Master Snow Workflow Dispatcher (21) (MSWD)
    • a REST API (3) (Representational State Transfer Application Programing Interface)
    • a MID (MID Server (6) is a Java application that runs on a server on your local network) server for allowing communication and movement of data between the platform and external applications, data sources, and services or for passing a call to a Master vRO (8) dispatcher
    • A Master vRO (8) (vRealize Orchestrator) for automation of workflow processes
    • A slave vRo (9) for automation of workflow processes
    • A set of Security Group Applications (SGA (11B)) for implementing processes related to security group set up
    • A Disaster recovery (DR) Pod application for hosting workloads after disaster occurs in the primary site
    • a cloud Management database (CMDB (5)).
  3. A system for managing security on a cloud management platform portal (CMPP (1)) according to claim 2, characterized in that the set of functionalities and applications also comprises:
    • a set of SDN security group rule applications for implementing processes related to security group rule set up
    • a NSX (7) Firewall comprising distributed and edge firewall
    • a SSR (20) workflow dispatcher
  4. A process for managing a security group on a cloud management platform portal by means of a system for managing security as described in claim 1, the system comprising a set of software codes executed on a processor the platform to implement the process for managing a security group, said process being characterized in that it comprises at least one of the following :
    • Creating a security group (SG)
    • Modifying an existing security group
    • Deleting a security group
    • Adding server to a security group
    • Removing a virtual server to a security group
    • Configuring a SDN security group rule
  5. A process for managing security group on a cloud management platform portal (CMPP (1)) according to claim 4 wherein a set of software codes is executed on the platform for creating a security group (SG), said creation of a security group process comprising:
    • Inviting (E1) a user to fill in a form and submit it (E2) in ServiceNow (2) through an interactive interface (10) of the CMPP (1);
    • Calling a REST API (3) call
    • passing (E3) the call to Master vRO (8) dispatcher by means of the MID Server (6) ;
    • calling (C100) a SSR (20) "Create a Security group workflow" by means of the Master vRO (8) dispatcher controlling the Master worflows
    • triggering (C101, C102) a "Create Security group wrapper" by means of a Master workflow
    • triggering (C108, 108') a remote workflow on slave vRo (9) by means of the Security Group Wrapper
    • updating (C109, 109') data on a NSX firewall via REST API (3) by means of the Slave vRo (9) workflow
    • triggering (C104) Provision Security Group Configuration Item in CMDB (5) workflow by means of the Master workflow
    • triggering (E1042) Modify Name of Security Group belonging to the "Modify SG " SSR (20) with Sys_id Wrapper (which is returned by CMDB (5)) workflow by means of the Master vRO (8) workflow.
    • Modifying Name and description of Security Group via REST API (3) by means of the Slave vRo (9) workflow
    • If DR Pod (11a) exists (C105), then triggering in the same way creation of Security Group (C109') in Slave vRo (9) of DR Pod (11a) (steps C106, C107)
    • updating (E32) the status of the request to SNOW via REST API (3) by means of the Master Snow Workflow Dispatcher (21).
  6. A process for managing security group on a cloud management platform portal (CMPP (1)) according to claim 4 wherein a set of software codes is executed on the platform for modifying an existing security group, said modification of an existing security group process comprising:
    • Inviting (E1) a user to fill in a form and submit it (E2) in ServiceNow (2) through an interactive interface of the CMPP (1)
    • Calling a REST API (3) call
    • passing (E3) the call to Master vRO (8) dispatcher by means of the MID Server (6)
    • calling (M100) a SSR (20) "Modifying a security group workflow" by means of the Master vRO (8) dispatcher
    • triggering (M101) Modify a Security group wrapper by means of the Master workflow
    • triggering (M107, M107') remote workflow on slave vRo (9) by means of the security group Wrapper
    • updating (M108, M108') data on a NSX firewall by means of Slave vRo (9) workflow via REST API (3)
    • If DR Pod (11a) exists (M104), then triggering the same way, modification of Security Group in Slave vRo (9) of DR Pod (11a) (M105, M106)
    • updating (E32) the Status of the request to SNOW by means of the Snow Workflow Dispatcher (MSWD) via REST API (3)
  7. A process for managing security group on a cloud management platform portal (CMPP (1)) according to claim 5 wherein a set of software codes is executed on the platform for deleting a security group, said deletion of a security group process comprising:
    • Inviting (E1) a user to fill in a form and submit it (E2) in ServiceNow (2) through an interactive interface of the CMPP (1)
    • Calling a REST API (3) call
    • passing (E3) the call to Master vRO (8) dispatcher by means of the MID Server (6)
    • calling (D100) a SSR (20) "deleting a security group workflow" by means of the Master vRO (8) dispatcher
    • triggering (D101) Delete Security group wrapper by means of the Master workflow or triggering (D102) "APPLY_ON" SG Delete Security group wrapper by means Master workflow
    • triggering (D108) remote workflow on slave vRo (9) by means of the delete Security Group Wrapper
    • updating (D109) data on NSX (7) by means of the Slave vRo (9) workflow via REST API (3)
    • If DR Pod (11a) exists (D104), then triggering (D106, D107, D103', D108' and D109') in the same way removing of Security Groups in Slave vRo (9) of DR Pod (11a)
    • triggering (D105) Provision Security Group Configuration Items in CMDB (5) workflow by means of the Master workflow, if DR Pod (11a) does not exist
    • updating (E1052) CMDB (5) security group Configuration Items by means of Provision Security Group CI in CMDB (5) workflow via Snow REST API (3)
    • updating (E32) the Status of the request to SNOW by means of the Snow Workflow Dispatcher via REST API (3)
  8. A process for managing security group on a cloud management platform portal (CMPP (1)) according to claim 4 wherein a set of software codes is executed on the platform for configuring a SDN security group rule, said configuration of a SDN security group rule process comprising at least one of the sub-steps:
    • Creating a SDN security group rule
    • Modifying a SDN security group rule
    • Deleting SDN security group rule
  9. A process for managing security group on a cloud management platform portal (CMPP (1)) according to claim 10 wherein a set of software codes is executed on the platform for creating a SDN security group rule, said creation of a SDN security group rule process, comprising:
    • Inviting (E1) a user to fill in a form and submit it (E2) in ServiceNow (2) through an interactive interface of the CMPP (1)
    • passing the call to Master vRO (8) dispatcher by means of the MID Server (6)
    • triggering (E3) SNOW Workflow Dispatcher with following input
    - WorfklowID (Friendly name of the vRO workflow to be executed)
    - Json (containing Parameters with input parameter for workflow to be executed)
    - RITMID (identifier of the request in SNOW that will be updated with status by SNOW Workflow dispatcher workflow)
    • triggering (C200) a SSR (20) "create SDN security group rule" Workflow passing all input parameters by means of the SNOW Workflow Dispatcher
    • calling (C201) Create NSX Firewall Rule Wrapper workflow
    • creating (C206) Inputs for the Create NSX Firewall Rule workflow and passing them through to the workflow via the Multi-Node Execute workflow wrapper
    • creating (C207) an NSX Firewall Rule under a new or existing Firewall section within the Create NSX Firewall Rule workflow on the slave POD
    • executing (C202) the Provision Firewall Rule CI in SNOW CMDB (5) workflow to keep CMDB (5) up to date at return to the main ACCP (Atos cloud control platform) workflow after successful Firewall rule creation
    • executing (C2022) Modify NSX Firewall Rule Wrapper workflow to rename new firewall rule name with identity of database CMDB (5) id
    • executing (C204) Disaster recovery (DR) Enabled entry check
    • calling (C205) DR Create NSX Firewall Rule Wrapper workflow
    • creating (C206) Inputs for the DR Create NSX Firewall Rule Wrapper workflow and passing them through to the workflow via a Multi-Node Execute workflow wrapper
  10. A process for managing security group on a cloud management platform portal (CMPP (1)) according to claim 10 wherein a set of software codes is executed on the platform for modifying a SDN security group rule, said modification of a SDN security group rule process comprising:
    • Inviting (E1) a user to fill in a form and submit it (E2) in ServiceNow (2) through an interactive interface of the CMPP (1)
    • passing the call to Master vRO (8) dispatcher by means of the MID Server (6)
    • triggering (E3) SNOW Workflow Dispatcher with following input
    - WorfklowlD (Friendly name of the Master vRO (8) workflow to be executed)
    - Json (containing Parameters with input parameter for workflow to be executed)
    - RITMID (identifier of the request in SNOW that will be updated with status by SNOW Workflow dispatcher workflow)
    • triggering (M200) a SSR (20) "Modify SDN security group rule Workflow" passing all input parameters by means of the SNOW Workflow Dispatcher
    • calling (M201) the Modify NSX Firewall Rule Wrapper workflow
    • creating (M205) Inputs for the Modify NSX Firewall (FW) Rule workflow and passing them through to the workflow via a Multi-Node Execute workflow wrapper
    • modifying (M206) an NSX Firewall Rule under an existing Firewall section within the Modify NSX Firewall Rule workflow on the slave POD, is
    • checking (M202) whether DR Pod (11a) and DR Location information was sent from snow at the return to the main ACCP workflow after a successful FW rule modification, If yes - calling (M204) the same wrapper workflow for DR Pod (11a) and making same modifications to DR Firewall Rule, the Firewall Rule on DR site being searched by name + DR suffix.
    • If no, executing (M203) Provision Firewall Rule CI in SNOW CMDB (5) workflow to keep CMDB (5) up to date (E2032)
    • Updating (E32) the Status of the request to SNOW via REST API (3) by means of the Snow Workflow Dispatcher.
  11. A process for managing security group on a cloud management platform portal (CMPP (1)) according to claim 10 wherein a set of software codes is executed on the platform for deleting a SDN security group rule, said deletion of a SDN security group rule process comprising:
    • Inviting (E1) a user to fill in a form and submit it (E2) in ServiceNow (2) through an interactive interface of the CMPP (1)
    • calling REST API (3) call
    • passing (E3) the call to Master vRO (8) dispatcher by means of the MID Server (6)
    • calling (D200) SSR (20) Delete SDN Security group Rule workflow by dispatcher
    • triggering (D201) Delete NSX Firewall Rule wrapper by means of the Master workflow
    • triggering (D205) remote workflow on slave vRo (9) by means of the NSX Firewall Rule wrapper
    • updating (D206) data on NSX via REST API (3) by means of Slave vRo (9) workflow
    • If DR Pod (11a) exists (D202), then triggering (D201', D205' and D206' respectively) in the same way removing of Firewall Rule in Slave vRo (9) of DR Pod (11a).
    • triggering (D204) Provision/Decommission Firewall Rule CI in CMDB (5) workflow by means of the Master workflow (Master vRO (8) workflow).
    • updating (E2042) CMDB (5)
    • updating (E32) the Status of the request to SNOW via REST API (3) by means of the Master Snow Workflow Dispatcher (21).
  12. Use of the system for managing security, according claim 1, in a server for managed PaaS (Platform as a service) comprising, in a container-based architecture, at least a processor and memories to save data and executable softwares so as to embed a cloud application software into a fully managed PaaS stack, abstracting complex hybrid Infrastructure as a Service (IaaS) away, said server being characterized in that the SNOW application of the for managing security represents a first layer of said server, executed on at least a processor and is configured to:
    • parse and orchestrate a cloud service requested to consume from the cloud service user request
    • to select the cloud computing services and/or resources provided by the cloud service provider and/or a function mode,
    • execute a cloud service operation. and make end to end management in the cloud through dialog
    - with a second layer represented by a Cloud Application integrated software for application transformation and
    - a third layer represented by integrated softwares for infrastructure brokering with the public cloud managed by the integrated softwares.
  13. Use of the system for managing security in a server according claim 14 wherein the SNOW application is executed on the server and displayed on a console adapted to the cloud application integrated software by integrating a specific API configured to interface the SNOW (ServiceNow (2)) application language and command to the language and command of the cloud Application integrated software.
  14. Use of the system for managing security, according to claim 1, in an orchestrate Hybrid cloud system wherein a SAP (Systems, Applications and Products for data processing) administration is supported by said security management system for security audit and backup monitoring purpose and provisioning by:
    • Distribution of SAP monitoring templates by Automatically provisioning of computing resources in virtual environments
    • Software Control and Distribution for Distributing of Monitoring agents
    • Patch Management for providing Regular patching of Monitoring agents
    • Security Compliancy for satisfying Security compliance according rules, laws and IT Controls
    • System Management for providing System administration task automation, central administration, Inventory, Detailed software inventory for SAP and Used as data source for CMDB (5)
  15. Use of the system for managing security in an Orchestrated Hybrid Cloud system according to claim 16, wherein the SNOW application execution, on a processor of a computing device of the Hybrid cloud system, provides an interface for enabling a user to determine any of the following parameters:
    • time window for support availability
    • time window for incident handling depending on priority
    • time window for change handling
    • Enterprise resource planning (ERP) dialog response time
    • virtual relational database management system (such as Hana) server size
    • physical relational database management system (such as Hana) server size
    • initial and minimal relational database management system (such as Hana) storage size
    • data recovery parameter such as RPO (recovery point objective), or RTO (recovery time objective)
EP19217193.2A 2019-12-17 2019-12-17 Integration of an orchestration services with a cloud automation services Pending EP3839734A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
EP19217193.2A EP3839734A1 (en) 2019-12-17 2019-12-17 Integration of an orchestration services with a cloud automation services
US17/123,894 US11902329B2 (en) 2019-12-17 2020-12-16 Integration of an orchestration services with a cloud automation services

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
EP19217193.2A EP3839734A1 (en) 2019-12-17 2019-12-17 Integration of an orchestration services with a cloud automation services

Publications (1)

Publication Number Publication Date
EP3839734A1 true EP3839734A1 (en) 2021-06-23

Family

ID=68944336

Family Applications (1)

Application Number Title Priority Date Filing Date
EP19217193.2A Pending EP3839734A1 (en) 2019-12-17 2019-12-17 Integration of an orchestration services with a cloud automation services

Country Status (2)

Country Link
US (1) US11902329B2 (en)
EP (1) EP3839734A1 (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11442669B1 (en) 2018-03-15 2022-09-13 Pure Storage, Inc. Orchestrating a virtual storage system
US12066900B2 (en) 2018-03-15 2024-08-20 Pure Storage, Inc. Managing disaster recovery to cloud computing environment
WO2023050070A1 (en) * 2021-09-28 2023-04-06 中远海运科技股份有限公司 Method and device for cloud host total traffic network access protection
US12056034B2 (en) * 2022-01-07 2024-08-06 Jpmorgan Chase Bank, N.A. System and method for automatically monitoring performance of software robots

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2012021324A2 (en) * 2010-08-12 2012-02-16 Unisys Corporation Moving enterprise software applications to a cloud domain
US20160065417A1 (en) * 2013-03-15 2016-03-03 Gravitant, Inc Fulfillment of cloud service orders
FR3075528A1 (en) * 2017-12-19 2019-06-21 Atos Uk International It Services Limited ORCHESTRA HYBRID CLOUD SYSTEM FOR SAP
WO2019121679A1 (en) * 2017-12-21 2019-06-27 Atos International B.V. Cloud management platform
WO2019121677A1 (en) * 2017-12-19 2019-06-27 Atos Information Technology GmbH Managed public cloud

Family Cites Families (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9069599B2 (en) * 2008-06-19 2015-06-30 Servicemesh, Inc. System and method for a cloud computing abstraction layer with security zone facilities
US8914406B1 (en) * 2012-02-01 2014-12-16 Vorstack, Inc. Scalable network security with fast response protocol
US20180027006A1 (en) * 2015-02-24 2018-01-25 Cloudlock, Inc. System and method for securing an enterprise computing environment
US10171507B2 (en) * 2016-05-19 2019-01-01 Cisco Technology, Inc. Microsegmentation in heterogeneous software defined networking environments
US10645087B2 (en) * 2017-06-06 2020-05-05 Amgen Inc. Centralized authenticating abstraction layer with adaptive assembly line pathways
US10666508B2 (en) * 2017-06-09 2020-05-26 Nicira, Inc. Unified software defined networking configuration management over multiple hosting environments
US11169815B2 (en) * 2018-01-16 2021-11-09 Bby Solutions, Inc. Method and system for automation tool set for server maintenance actions
US20190356697A1 (en) * 2018-05-15 2019-11-21 Nicira, Inc. Methods and apparatus to assign security in networked computing environments
US10999326B1 (en) * 2018-05-30 2021-05-04 Tigera, Inc. Fine grained network security
US10708230B2 (en) * 2018-06-14 2020-07-07 Servicenow, Inc. Systems and methods for firewall configuration using block lists
US11108859B2 (en) * 2018-07-02 2021-08-31 Accenture Global Solutions Limited Intelligent backup and recovery of cloud computing environment
US10826770B2 (en) * 2018-07-26 2020-11-03 Cisco Technology, Inc. Synthesis of models for networks using automated boolean learning
US11537627B1 (en) * 2018-09-28 2022-12-27 Splunk Inc. Information technology networked cloud service monitoring
US11315044B2 (en) * 2018-11-08 2022-04-26 Vmware, Inc. Multi dimensional scale analysis using machine learning
US10924344B2 (en) * 2019-04-11 2021-02-16 Servicenow, Inc. Discovery and mapping of cloud-based resource modifications
US10798084B1 (en) * 2019-04-30 2020-10-06 Sailpoint Technologies, Inc. System and method for identity management of cloud based computing services in identity management artificial intelligence systems
US20210021471A1 (en) * 2019-07-15 2021-01-21 Microsoft Technology Licensing, Llc Techniques for managing virtual networks

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2012021324A2 (en) * 2010-08-12 2012-02-16 Unisys Corporation Moving enterprise software applications to a cloud domain
US20160065417A1 (en) * 2013-03-15 2016-03-03 Gravitant, Inc Fulfillment of cloud service orders
FR3075528A1 (en) * 2017-12-19 2019-06-21 Atos Uk International It Services Limited ORCHESTRA HYBRID CLOUD SYSTEM FOR SAP
WO2019121677A1 (en) * 2017-12-19 2019-06-27 Atos Information Technology GmbH Managed public cloud
WO2019121679A1 (en) * 2017-12-21 2019-06-27 Atos International B.V. Cloud management platform

Also Published As

Publication number Publication date
US11902329B2 (en) 2024-02-13
US20210185007A1 (en) 2021-06-17

Similar Documents

Publication Publication Date Title
CN110535831B (en) Kubernetes and network domain-based cluster security management method and device and storage medium
US10367802B2 (en) Desktop application fulfillment platform with multiple authentication mechanisms
US11902329B2 (en) Integration of an orchestration services with a cloud automation services
US10318265B1 (en) Template generation for deployable units
US11409719B2 (en) Co-locating microservice persistence containers within tenant-specific database
US9330102B2 (en) Multi-tenant platform-as-a-service (PaaS) system implemented in a cloud computing environment
US8316125B2 (en) Methods and systems for automated migration of cloud processes to external clouds
US11363117B2 (en) Software-specific auto scaling
US11068136B1 (en) Application fulfillment platform with automated license management mechanisms
US10552796B1 (en) Approval service in a catalog service platform
CN107967140B (en) Software modification initiating method, metadata publishing method and device
US10572842B1 (en) Notification service for managing actionable messages from backend services
US10356155B2 (en) Service onboarding
US20200136930A1 (en) Application environment provisioning
WO2015038241A1 (en) Methods, systems, and computer readable mediums for updating components in a converged infrastructure system
US20190332423A1 (en) Workflow Service for a Cloud Foundry Platform
WO2012175638A1 (en) A method of provisioning a cloud-based render farm
US11119817B2 (en) Breaking dependence of distributed service containers
Van't Hof et al. Androne: Virtual drone computing in the cloud
US20140337746A1 (en) Dynamically grouping monitored resources in a cloud environment to collections representing a composite application
CN110798504A (en) Method, device, management equipment and storage medium for cross-region sharing service
US20240004686A1 (en) Custom resource definition based configuration management
KR101544487B1 (en) Virtual desktop service system for client that has multiple user accounts
CN118056184A (en) Techniques for providing cloud services on demand
CN114489954A (en) Tenant creation method based on virtualization platform, tenant access method and equipment

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: REQUEST FOR EXAMINATION WAS MADE

17P Request for examination filed

Effective date: 20210409

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

RAP1 Party data changed (applicant data changed or rights of an application transferred)

Owner name: AGARIK SAS

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: EXAMINATION IS IN PROGRESS

17Q First examination report despatched

Effective date: 20221128

P01 Opt-out of the competence of the unified patent court (upc) registered

Effective date: 20230330